Puppet agent to master communication with externally signed certificates

My security team has handed me a requirement around puppet communications. They have informed me that we are not allowed to use self-signed certificates anywhere in our environment.
So is there a way to have puppet use CA signed certificates rather than using its own internal CA?